Neiman Marcus disclosed in January it was affected by the same kind of hacking, while two other companies, the arts and crafts chain Michaels and the hotel management company White Lodging Services, are also investigating suspected breaches.

Banks and card issuers replace cards used fraudulently. For stolen cards that have not been fraudulently used, they frequently opt not to reissue cards since it is expensive and is inconvenient for their customers.

The glut of stolen card details on underground marketplaces has likely caused a large drop in so-called "new account fraud," where criminals amass a person's personal information in order to open financial accounts. New account fraud fell from $10 billion in 2012 to just $3 billion 2013, Javelin said.

Although the financial industry has improved checks around creating new accounts, the "less rosy explanation of fraudsters' abandonment of new-account fraud is that it is simply becoming too easy to make a buck by misusing and taking over existing accounts," the report said.

The cost of fraud caused by criminals abusing payment cards and other accounts, such as checking, savings and loan accounts, jumped by 36 percent to $16 billion, up from $11 billion in 2012, Javelin said. About 5 percent of U.S. consumers were affected in 2013.

"For only a few dollars, criminals can purchase card numbers or other account credentials," the report said. "The misuse of existing account credentials is a less onerous process than opening a new account in many cases."

Pascual said people using payment cards are always on the defense.

"When it comes to figuring out whether or not you are going to be a victim of a data breach, it's a crap shoot," he said. "If you monitor your accounts, you are in a better position. There are so many breaches. You can't expect your bank to replace your card every time it happens."